Rise of DDoS Amplification Attacks

Since the end of February 2018, we have seen a rise of DDoS amplification attacks, in some cases generating more than 1 Tbps of traffic. DDoS amplification attacks are very easy to launch and very difficult to protect against, putting almost any business at risk. In this article, we explain the context, how these attacks work and some ways to mitigate this kind of threat.
 

The DDoS Context

"In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the internet" - Wikipedia

In a distributed denial-of-service attack (DDoS attack), the attack load originates from many different sources, generally a botnet and/or misconfigured services (as we will see further on). Unlike a DoS, this type of attack makes it difficult to track the hacker and consumes enormous bandwidth on the victim's side.

There are many reasons for this type of attack, including the following:

  • Ideological: some kind of objection to a message conveyed by a company or a government (e.g. Anonymous)
  • Smokescreen: used to hide a more complex attack, generally involving impersonation or data exfiltration
  • Challenge: to demonstrate a hacker's ability to overcome, or to gauge, the security of a system

What's more frightening is how cheaply a DDoS can be launched, even by someone with limited skills, because the tooling is widely available for free or almost free.
 

What's an amplification attack? 

An amplification attack is a volumetric attack that tries to exhaust the victim's bandwidth through "reflection": the attacker sends a short UDP request for information to a vulnerable service, but replaces the source IP of the request with the IP of the victim, so that the vulnerable service "responds" directly to the victim. When the service responds with a message larger than the request, this is called amplification. The TCP three-way handshake does not allow this behaviour, since the source address cannot be spoofed - Wikipedia.

In this figure, we have described the specific case of a hacker sending a spoofed packet directly to several vulnerable services. In a large-scale attack, the hacker will use a botnet to send the initial packets from a large number of sources, which exponentially increases the effect of the attack.

The potential effect of an amplification attack can be measured by the Bandwidth Amplification Factor (BAF), calculated as the number of UDP payload bytes an amplifier sends in answer to a request, divided by the number of UDP payload bytes of the request (see below for a list of known protocols and their associated BAFs).

Protocol                 Bandwidth Amplification Factor
DNS                      28 to 54
NTP                      556.9
SNMPv2                   6.3
NetBIOS                  3.8
SSDP                     30.8
CharGEN                  358.8
QOTD                     140.3
BitTorrent               3.8
Kad                      16.3
Quake Network Protocol   63.9
Steam Protocol           5.5
Multicast DNS (mDNS)     2 to 10
RIPv1                    131.24
Portmap (RPCbind)        7 to 28
LDAP                     46 to 55
CLDAP                    56 to 70
TFTP                     60
Memcached                10,000 to 51,000

 

Prevention and Response

Here are some points that can help you mitigate an amplification attack quickly:

  • An up-to-date network/service diagram.
  • A tested incident response plan with well-defined roles and contacts (ideally also printed on paper, in case the whole network is unavailable).
  • A proper monitoring system that alerts you at the start of a DDoS.
  • A firewall that blocks all traffic that is not explicitly permitted (incoming and outgoing).
  • A properly configured load balancer that does not become a single point of failure.
  • Regular assessment of the security of your infrastructure and of your firewall rules.
  • Temporary filtering (traffic scrubbing or traffic shaping) requested from your provider (ISP).
  • A record of every action taken during the incident response (timestamp, action, result, ...).
  • Escalation to a third party if no other solution is available.
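The monitoring point above is where most victims first learn they are under attack. The following is an added example, not code from the original article, of the kind of detection logic a monitoring system can run over exported flow records: it aggregates inbound UDP traffic whose source port belongs to a known amplifier protocol (the ones in the BAF table) and alerts when the volume and the average packet size both look like reflected replies. The record format, the port list, the thresholds and the sample flows are all assumptions constructed for the example.

```python
"""Flag inbound UDP reflection traffic in flow records.

Added example, not from the original article: the record format, the port
list and the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of services commonly abused as reflectors (see the BAF
# table). Unsolicited traffic *arriving* from one of these ports is the
# signature of an amplification attack against the destination.
AMPLIFIER_PORTS = {
    17: "QOTD", 19: "CharGEN", 53: "DNS", 69: "TFTP", 111: "Portmap",
    123: "NTP", 137: "NetBIOS", 161: "SNMP", 389: "LDAP/CLDAP", 520: "RIPv1",
    1434: "MS-SQL", 1900: "SSDP", 5353: "mDNS", 11211: "Memcached",
}


@dataclass
class Flow:
    ts: int        # epoch seconds at which the flow was exported
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record (constructed format):
    ts src sport dst dport proto bytes packets"""
    ts, src, sport, dst, dport, proto, nbytes, packets = line.split()
    return Flow(int(ts), src, int(sport), dst, int(dport), proto.upper(),
                int(nbytes), int(packets))


def detect_reflection(lines, window=10, bps_threshold=50_000_000, min_avg_pkt=400):
    """Aggregate inbound UDP traffic per (time window, destination, amplifier
    source port) and alert when it exceeds `bps_threshold` bits/s with an
    average packet size of at least `min_avg_pkt` bytes: amplified replies are
    large, while legitimate DNS/NTP answers to a single host are small and rare."""
    buckets = defaultdict(lambda: [0, 0])   # key -> [bytes, packets]
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if f.proto != "UDP" or f.sport not in AMPLIFIER_PORTS:
            continue
        key = (f.ts // window, f.dst, f.sport)
        buckets[key][0] += f.nbytes
        buckets[key][1] += f.packets

    alerts = []
    for (bucket, dst, sport), (nbytes, packets) in sorted(buckets.items()):
        bps = nbytes * 8 / window
        avg_pkt = nbytes / packets
        if bps >= bps_threshold and avg_pkt >= min_avg_pkt:
            alerts.append({
                "window_start": bucket * window,
                "victim": dst,
                "service": AMPLIFIER_PORTS[sport],
                "sport": sport,
                "mbps": round(bps / 1e6, 1),
                "avg_packet_bytes": round(avg_pkt),
            })
    return alerts


# Constructed sample: two NTP reflectors (source port 123) flooding
# 203.0.113.10 within one 10-second window, plus benign DNS and TCP flows
# and a quieter later window that must not trigger.
SAMPLE_FLOWS = """
1520000000 198.51.100.7  123 203.0.113.10  4444 udp 40000000 90000
1520000003 198.51.100.9  123 203.0.113.10  4444 udp 40000000 90000
1520000005 192.0.2.53     53 203.0.113.10 51515 udp      600     5
1520000006 192.0.2.80    443 203.0.113.10 51516 tcp  1500000  1000
1520000012 198.51.100.7  123 203.0.113.10  4444 udp 20000000 45000
"""

if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS.splitlines()):
        print(alert)
```

On the constructed sample the first window sums to 80 MB of NTP replies in 10 seconds (64 Mbit/s, average packet 444 bytes) and raises one alert; the later window is below the threshold. The thresholds should be set relative to your normal inbound baseline rather than taken from this example, and keying on the destination lets the same alert tell the incident responder which address to ask the ISP to scrub.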

And ... do not participate in a DDoS. Close or properly configure open and misconfigured UDP services so that you do not contribute to a future DDoS.
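Two of the services in the tables, memcached and NTP, are reflectors mainly because of configuration defaults. The following is an added example, not code from the original article or from either project, of a small configuration audit you can run against your own hosts before someone else finds them: it checks a memcached command line for the documented -U/--udp-port and -l/--listen options, and an ntp.conf for a "restrict default ... noquery" line and "disable monitor". The sample configurations are constructed; the finding texts and the audit functions are our own.

```python
"""Audit memcached and ntpd settings that turn a host into a UDP reflector.

Added example, not from the original article. It understands only a few
documented options: memcached -U/--udp-port and -l/--listen, and the ntpd
'restrict default ... noquery' and 'disable monitor' directives. The sample
configurations below are constructed.
"""
import shlex


def audit_memcached_options(opts: str) -> list:
    """Check a memcached command line (e.g. the OPTIONS value from
    /etc/sysconfig/memcached) and return a list of findings."""
    args = shlex.split(opts)
    udp_port = None
    listen = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-U", "--udp-port"):
            udp_port = int(args[i + 1])
            i += 2
            continue
        if arg in ("-l", "--listen"):
            listen.extend(args[i + 1].split(","))
            i += 2
            continue
        if arg.startswith("--udp-port="):
            udp_port = int(arg.split("=", 1)[1])
        elif arg.startswith("--listen="):
            listen.extend(arg.split("=", 1)[1].split(","))
        i += 1

    findings = []
    if udp_port is None:
        findings.append("UDP port not set: memcached before 1.5.6 enables UDP 11211 "
                        "by default; add -U 0 explicitly")
    elif udp_port != 0:
        findings.append(f"UDP enabled on port {udp_port}: disable it with -U 0")
    if not listen or any(addr in ("0.0.0.0", "::") for addr in listen):
        findings.append("listening on all interfaces: bind with -l 127.0.0.1 or an "
                        "internal address and firewall 11211/udp from the Internet")
    return findings


def audit_ntp_conf(conf: str) -> list:
    """Check an ntp.conf for a default restriction carrying noquery and for
    'disable monitor'; return a list of findings."""
    default_flags = None      # flags common to every 'restrict default' line
    monitor_disabled = False
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments and blanks
        if not parts:
            continue
        if parts[0] == "restrict":
            rest = parts[1:]
            if rest and rest[0] in ("-4", "-6"):   # 'restrict -6 default ...'
                rest = rest[1:]
            if rest and rest[0] == "default":
                flags = set(rest[1:])
                default_flags = flags if default_flags is None else default_flags & flags
        elif parts[0] == "disable" and "monitor" in parts[1:]:
            monitor_disabled = True

    findings = []
    if default_flags is None:
        findings.append("no 'restrict default' line: ntpd answers control queries from anyone")
    elif "noquery" not in default_flags:
        findings.append("'restrict default' lacks noquery: ntpq/monlist queries are reflected")
    if not monitor_disabled:
        findings.append("'disable monitor' missing: monlist stays available on older ntpd")
    return findings


# Constructed samples: a weak and a hardened variant of each configuration.
WEAK_MEMCACHED = "-p 11211 -U 11211 -m 64 -c 1024"
HARDENED_MEMCACHED = "-p 11211 -U 0 -l 127.0.0.1 -m 64 -c 1024"
WEAK_NTP = """driftfile /var/lib/ntp/drift
server ntp.example.com iburst
restrict 127.0.0.1
"""
HARDENED_NTP = """driftfile /var/lib/ntp/drift
server ntp.example.com iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
"""

if __name__ == "__main__":
    for name, result in [("memcached (weak)", audit_memcached_options(WEAK_MEMCACHED)),
                         ("memcached (hardened)", audit_memcached_options(HARDENED_MEMCACHED)),
                         ("ntp (weak)", audit_ntp_conf(WEAK_NTP)),
                         ("ntp (hardened)", audit_ntp_conf(HARDENED_NTP))]:
        print(name, "->", result or "OK")
```

Run against the weak samples each audit returns two findings; against the hardened ones it returns none. The intersection over several "restrict default" lines is deliberate: with both an IPv4 and an IPv6 default line, the host is only safe if noquery is present on both.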
 

Our statistics for Belgium

The services that can be used for an amplification attack are widely available all around the world. To give you an idea, we have compiled statistics on some vulnerable UDP services in Belgium that can be used for amplification attacks, based on threat intelligence and passive scans at the Belgian level as of mid-March 2018 (ordered by amplification factor):

Protocol                 Bandwidth Amplification Factor   Vulnerable in Belgium
Memcached                10,000 to 51,000                 55
NTP                      556.9                            10809
CharGEN                  358.8                            26
QOTD                     140.3                            49
DNS                      28 to 54                         2743
SSDP                     30.8                             2757
MS-SQL                   25                               537
Portmap (RPCbind)        7 to 28                          6025
SNMPv2                   6.3                              5993
Multicast DNS (mDNS)     2 to 10                          6093
NetBIOS                  3.8                              2683

 

Conclusion

  • DDoS amplification attacks are not a matter of skill for a hacker, since there is a plethora of tools, more or less freely accessible.
  • DDoS amplification attacks are difficult to mitigate since the IP of the hacker is hidden behind the reflection.
  • A huge number of vulnerable services that can be used for DDoS are available all around the world. At the very least, make sure you do not participate yourself.
  • You can use the "Prevention and Response" section as inspiration for your own defence.
Do not hesitate to contact us if you need help to improve your protection and incident response.
 

Our approach to cyber-security

Our customers benefit from the expertise and talent of our people, combined with pragmatic and proven methods and the efficiency brought by our assets:

1. Expertise and talent

Since 2001 we have applied our experience in cyber-security gained in various industries, from small to large businesses. Our people are seasoned, certified professionals who continuously improve and extend their knowledge.

2. Pragmatic and proven methods

We rely on the most recognised, easily auditable and widely adopted standards and good practices and apply them pragmatically. We always tailor our approach to your particular context, needs and organisation culture.

3. Asset-based approach

We make use of the most advanced and reliable tools and solutions to support our services. This enables us to be more efficient during delivery, enforce the use of standard auditable methods and provide transparency about our achievements and your results.
